Efficient Proving for Practical Distributed Access-Control Systems

Executive Summary

The authors present a new technique for generating a formal proof that an access request satisfies access-control policy, for use in logic-based access-control frameworks. The approach is tailored to settings where the credentials needed to complete a proof might have to be obtained from, or reactively created by, distant components in a distributed system. In such contexts, the approach substantially improves upon previous proposals in both computation and communication costs, and better guides users to create the most appropriate credentials when the credentials a proof needs do not yet exist. At the same time, the strategy offers strictly superior proving ability: it finds a proof in every case in which previous approaches would, and in some cases in which they would not.
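To make the setting concrete, the following is an added illustration, not code from the paper or its authors, of the two ideas the summary refers to: proving an access request from held credentials by backward chaining over a small access-control logic, and, when the proof fails, identifying which single credential (and from whom) would complete it. The logic (a "controls" fact and a "delegates" fact, with two inference rules), the credential store and the principal and resource names are all constructed assumptions for this example; the paper's own proving strategy is not reproduced here.

```python
from dataclasses import dataclass, field

# Constructed credential store for the example. Each credential is a ground fact
# that, in a real system, would be a signed statement from the principal named
# in its first argument; signature verification is out of scope here.
#   ("controls", P, R)      : P is the authority over resource R
#   ("delegates", Q, P, R)  : Q grants P its own authority over R
CREDENTIALS = {
    ("controls", "Manager", "door"),
    ("delegates", "Manager", "Alice", "door"),
}


@dataclass
class Proof:
    goal: tuple
    rule: str                       # inference rule (or "credential" for a leaf)
    subproofs: list = field(default_factory=list)


def prove(goal, creds, seen=frozenset()):
    """Backward-chaining search for a proof of goal = ("access", P, R).

    Assumed toy access-control logic (not the paper's):
      access(P, R) <- controls(P, R)
      access(P, R) <- delegates(Q, P, R), access(Q, R)
    Returns a Proof tree, or None if the held credentials do not prove the goal.
    `seen` stops the search from looping on delegation cycles (A -> B -> A).
    """
    _, principal, resource = goal
    if goal in seen:
        return None
    seen = seen | {goal}

    direct = ("controls", principal, resource)
    if direct in creds:
        return Proof(goal, "controls", [Proof(direct, "credential")])

    # Try every delegation naming this principal and resource; recurse on the
    # delegator, who must in turn be able to prove access.
    for cred in sorted(creds):
        if cred[0] == "delegates" and cred[2] == principal and cred[3] == resource:
            sub = prove(("access", cred[1], resource), creds, seen)
            if sub is not None:
                return Proof(goal, "delegation", [Proof(cred, "credential"), sub])
    return None


def suggest_credentials(principal, resource, creds):
    """Credentials that would complete the proof with exactly one new delegation.

    Candidate issuers are the principals already named in some credential; a
    suggestion ("delegates", Q, principal, resource) is emitted only when Q can
    itself prove access, so every suggested credential really would close the
    proof. The list is sorted by issuer name.
    """
    candidates = {c[1] for c in creds} | {c[2] for c in creds if c[0] == "delegates"}
    return [
        ("delegates", q, principal, resource)
        for q in sorted(candidates)
        if q != principal and prove(("access", q, resource), creds) is not None
    ]


def show(proof, indent=0):
    """Print a proof tree as an indented derivation."""
    print("  " * indent + f"{proof.rule}: {proof.goal}")
    for sub in proof.subproofs:
        show(sub, indent + 1)


if __name__ == "__main__":
    show(prove(("access", "Alice", "door"), CREDENTIALS))
    print(prove(("access", "Bob", "door"), CREDENTIALS))          # None
    print(suggest_credentials("Bob", "door", CREDENTIALS))        # two options
```

Running the block proves Alice's access through the Manager's delegation, fails to prove Bob's, and reports that either Alice or the Manager could issue a delegation to Bob; that second result is the kind of targeted guidance the summary describes, which a proof search that merely fails cannot offer.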